Biometric authentication typically involves a comparison between a current biometric reading from a person attempting to authenticate and an expected biometric reading of the legitimate user. If these biometric readings do not closely match, authentication is considered unsuccessful and some follow-on or remedial activity usually takes place, e.g., a retry of authentication, step-up authentication, outputting an alert, and so on.
Some biometric authentication operations may involve a comparison of a current biometric reading to a blacklist of biometric readings. If the current biometric reading closely matches one of the biometric readings on the blacklist, authentication is considered unsuccessful or is deemed to be of higher risk, thus warranting further scrutiny or action.
To create a blacklist of biometric readings, customers of an authentication service may combine biometric readings known to be fraudulent. For example, suppose that a fraudster successfully authenticates and completes a fraudulent transaction using a particular biometric reading. Once a customer discovers the fraudulent transaction, the customer may add that particular biometric reading to the blacklist. This blacklist is shared with other customers of the authentication service so that any further attempts to use the particular biometric reading at any of the customers result in unsuccessful authentication or further scrutiny/action.
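The decision flow described above can be sketched as follows. This is an added example, not code from the original text. It assumes biometric readings are fixed-length feature vectors compared by cosine similarity, and the thresholds, the names `SharedBlacklist` and `authenticate`, and all sample vectors are hypothetical.

```python
import math

# Assumed thresholds; the text only says readings must "closely match".
MATCH_THRESHOLD = 0.95
BLACKLIST_THRESHOLD = 0.95

def similarity(a, b):
    """Cosine similarity between two equal-length feature vectors (assumed metric)."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return sum(x * y for x, y in zip(a, b)) / norm if norm else 0.0

class SharedBlacklist:
    """Fraudulent readings pooled from all customers of the service."""
    def __init__(self):
        self._entries = []  # (reporting customer, reading)

    def report(self, customer, reading):
        self._entries.append((customer, list(reading)))

    def best_score(self, reading):
        """Similarity of the closest blacklisted reading, 0.0 if the list is empty."""
        return max((similarity(reading, r) for _, r in self._entries), default=0.0)

def authenticate(current, expected, blacklist):
    """The blacklist check runs first: a blacklisted reading can still match
    the expected reading, as in the fraud scenario described in the text."""
    if blacklist.best_score(current) >= BLACKLIST_THRESHOLD:
        return "high_risk"      # unsuccessful, or further scrutiny/action
    if similarity(current, expected) >= MATCH_THRESHOLD:
        return "success"
    return "unsuccessful"       # retry, step-up authentication, alert, ...

# Constructed sample feature vectors (not real biometric data).
FRAUD_ENROLLED = [0.12, 0.80, 0.35, 0.44]  # fraudster's expected reading at customer B
FRAUD_REPORTED = [0.13, 0.79, 0.36, 0.45]  # reading customer A found to be fraudulent
FRAUD_CURRENT = [0.12, 0.81, 0.34, 0.45]   # fraudster's new attempt at customer B
USER_ENROLLED = [0.90, 0.10, 0.20, 0.05]   # unrelated legitimate user
USER_CURRENT = [0.89, 0.11, 0.21, 0.05]
```

Before customer A reports the reading, the fraudster's attempt at customer B matches its expected reading and succeeds; after the report, the same attempt is flagged, while the unrelated user is unaffected.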